Memorandum of Understanding between the Information
Commissioner and the Competition and Markets Authority


Introduction 


1. This Memorandum of Understanding (MoU) establishes a framework
for cooperation and information sharing between the Information 
Commissioner ("the Commissioner") and the Competition and 
Markets Authority (“the CMA”) collectively referred to as "the 
parties" throughout this document. In particular, it sets out the 
broad principles of collaboration and the legal framework governing 
the sharing of relevant information and intelligence between the 
parties. The shared aims of this MoU are to enable closer working 
between the parties, including the exchange of appropriate 
information, so as to assist them in discharging their regulatory 
functions. 


2. The parties recognise that over the next few years the nature of
bilateral, and multilateral cooperation (involving other regulatory 
agencies), will evolve with the maturation of the Digital Regulation 
Cooperation Forum and the creation of the proposed Digital Markets 
Unit. The parties will address these developments as they occur, 
including undertaking reviews of this MOU as necessary to ensure it 
reflects appropriate bilateral cooperation. 


3. This MoU is a statement of intent that does not give rise to legally
binding obligations on the part of either the Commissioner or the 
CMA. The parties have determined that they do not exchange 
sufficient quantities of personal data to warrant entering into a 
separate data sharing agreement, but this will be kept under 
review. 


Overall purpose 


4. The purpose of this MoU is to set out the terms of the ongoing
collaboration between the parties and replaces the previous MOU 
dated March 2015. Since agreeing our previous MOU there has been 
a step-change in cooperation between the CMA and the ICO. This is 
in part due to the increased role that personal data processing plays 
in markets that the CMA regulates, and equally the impact that 
CMA’s regulatory decisions may have on how personal data is
processed by businesses in the UK. 


5. The parties are committed to fostering effective working relations, 
principally by promoting a culture of cooperation and collaboration 
between the two organisations. 


The role and function of the Information Commissioner 


6. The Commissioner is a corporation sole appointed by Her Majesty 
the Queen under the Data Protection Act 2018 to act as the UK’s 
independent regulator to uphold information rights in the public 
interest, promote openness by public bodies and data privacy for 
individuals. 


7. The Commissioner is empowered to take a range of regulatory 
action for breaches of the following legislation: 


• Data Protection Act 2018 (DPA 2018);
• UK General Data Protection Regulation (UK GDPR);
• Privacy and Electronic Communications (EC Directive)
Regulations 2003 (PECR);
• Freedom of Information Act 2000 (FOIA);
• Environmental Information Regulations 2004 (EIR);
• Environmental Protection Public Sector Information
Regulations 2009 (INSPIRE Regulations);
• Investigatory Powers Act 2016;
• Re-use of Public Sector Information Regulations 2015;
• Enterprise Act 2002;
• Security of Network and Information Systems Directive (NIS
Directive); and
• Electronic Identification, Authentication and Trust Services
Regulation (eIDAS).


8. Article 57 of the UK GDPR and Section 115(2)(a) of the DPA 2018 
place a broad range of statutory duties on the Commissioner, 
including monitoring and enforcement of the UK GDPR, promotion of 
good practice and adherence to the data protection obligations by 
those who process personal data. These duties sit alongside those 
relating to the other enforcement regimes outlined in paragraph 7
above. 


9. The Commissioner’s regulatory and enforcement powers include: 


• conducting assessments of compliance with the DPA 2018, UK
GDPR, PECR, eIDAS, the NIS Directive, FOIA and EIR;

• issuing information notices requiring individuals, controllers or
processors to provide information in relation to an
investigation;

• issuing enforcement notices, warnings, reprimands, practice
recommendations and other orders requiring specific actions
by an individual or organisation to resolve breaches (including
potential breaches) of data protection legislation and other
information rights obligations;

• administering fines by way of penalty notices in the
circumstances set out in section 155 of the DPA 2018;

• administering fixed penalties for failing to meet specific
obligations (such as failing to pay the relevant fee to the
Commissioner);

• issuing decision notices detailing the outcome of an
investigation under FOIA or EIR;

• certifying contempt of court should an authority fail to comply
with an information notice, decision notice or enforcement
notice under FOIA or EIR; and

• prosecuting criminal offences before the Courts.


10. Regulation 31 of PECR also provides the Commissioner with the 
power to serve enforcement notices and issue monetary penalty 
notices as above to organisations who breach PECR. This includes, 
but is not limited to, breaches in the form of unsolicited marketing 
which falls within the ambit of PECR, including automated telephone 
calls made without consent, live telephone calls which have not 
been screened against the Telephone Preference Service, and 
unsolicited electronic messages (Regulations 19, 21 and 22 of PECR 
respectively). 


Functions and powers of the CMA


11. The CMA is a non-ministerial department and it is the independent 
regulator for competition and consumer matters in the UK. 
Established under the Enterprise and Regulatory Reform Act 2013, 
the CMA’s primary duty is to promote competition, both within and 
outside the United Kingdom, for the benefit of consumers. Its aim is 
to make markets work well for consumers, businesses and the 
economy. 


12. To carry out its duty the CMA is equipped with a broad range of
statutory roles and functions. These include (but are not limited
to):¹

• Investigating agreements between undertakings that prevent,
restrict or distort competition, or any abuse by an undertaking
of its dominant position contrary to the prohibitions set out in
Chapter I and Chapter II of the Competition Act 1998.

• Investigating and/or prosecuting individuals in respect of the
criminal cartel offence under section 188 of the Enterprise Act
2002.

• Undertaking market studies or making references for in-depth
market investigations into single or multiple markets for
goods or services in the UK under the Enterprise Act 2002.

• Investigating a range of consumer protection concerns as an
enforcer under Part 8 of the Enterprise Act 2002, the
Consumer Protection from Unfair Trading Regulations 2008,
and the Consumer Rights Act 2015.

• Investigating mergers that may have the potential to result in
a substantial lessening of competition under the Enterprise
Act 2002.

• Conducting regulatory appeals and references in relation to
price controls, terms of licences or other regulatory
arrangements under sector-specific legislation.

• Providing information or advice in respect of matters relating
to any of the CMA’s functions to the public, to Ministers or
other public authorities.

¹ At the date of this MoU, and as a result of the passing of the UK Internal Market Act
2020, from August 2021 the CMA is also expected to assume responsibility for
overseeing and supporting the Office for the Internal Market in relation to its
independent advisory, monitoring and reporting functions which it will perform to
support the development and effective operation of the UK internal market.


13. In exercising its statutory responsibilities, CMA will co-operate with
sectoral regulators and encourage sectoral regulators to use their 
powers to apply relevant legislation, in the interests of competition 
for the benefit of consumers. In addition to its specific statutory 
powers, the CMA may do anything that is calculated to facilitate, or 
is conducive or incidental to, the performance of its functions. 


Purpose of information sharing 


14. The purpose of the MoU is to enable the parties to share relevant
information which enhances their ability to exercise their respective
functions.


15. This MoU should not be interpreted as imposing a requirement on
either party to disclose information in circumstances where doing so 
would breach their statutory responsibilities. In particular, each 
party must ensure that any disclosure of personal data pursuant to 
these arrangements fully complies with both the UK GDPR and the 
DPA 2018. The MoU sets out the potential legal basis for 
information sharing, but it is for each party to determine for 
themselves that any proposed disclosure is compliant with the law. 


Principles of cooperation and sharing 


16. The ICO may offer provision of data protection advice to the CMA, in
the context of the CMA’s statutory roles and functions. Similarly, the
CMA may offer provision of advice relating to any of its consumer,
competition, markets or mergers functions, in the context of the
ICO’s statutory roles and functions.


17. Subject to any legal restrictions on the disclosure of information
(whether imposed by statute or otherwise) and at her discretion,
the Commissioner will alert the CMA to any potential breaches of
the legislation regulated by the CMA, discovered whilst undertaking
regulatory duties, and will provide relevant and necessary
supporting information.


18. Subject to any legal restrictions on the disclosure of information
(whether imposed by statute or otherwise) and at its discretion, the
CMA will alert the Commissioner of potential breaches of the
legislation regulated by the Commissioner, discovered whilst
undertaking regulatory duties, and will provide relevant and
necessary supporting information.


19. Subject to any legal restrictions on the disclosure of information
(whether imposed by statute or otherwise) and at their discretion,
the parties will:

• Communicate regularly to discuss matters of mutual interest
including developments affecting the parties’ joint projects or
investigations.

• Communicate regularly to discuss matters of mutual interest
affecting work where the parties participate in multi-agency
groups to address common issues and threats.

• Consult one another on any issues which might have
significant implications for the other organisation.


20. The parties will comply with the general laws they are subject to,
including, but not limited to, data protection laws; the maintenance
of any prescribed documentation and policies; and comply with any
governance requirements in particular relating to security and
retention, and will process personal data in accordance with the
statutory rights of individuals.


21. The Commissioner and the CMA will exchange information on
relevant issues of interest to the extent permitted by law, and as
appropriate and relevant to their respective objectives. This may
include, but is not limited to:

• Information obtained during the exercise of either party’s
respective functions which is relevant to the functions of the
other.

• Notifying the other about any relevant action contemplated
(or taken) by one regulator which is relevant to the functions
of the other.

• Information obtained during the exercise of either party’s
respective functions that is relevant for the purposes of any
joint undertaken project or investigation.


22. The Commissioner and the CMA may request information from each
other and will include the details of the information sought and why
it would assist them to carry out their functions. Each may suggest
a reasonable deadline for response, including an explanation of any
urgency.


23. The Commissioner and CMA may consult and co-ordinate in respect
of reviews, calls for evidence and recommendations directed 
towards both parties, where appropriate. In addition, if one 
regulator considers that information it has gathered will be 
materially relevant to the other, then subject to any legal 
restrictions on the disclosure of information (whether imposed by 
statute or otherwise) it will notify the other to enable the other to 
request disclosure of such information. 


Legal basis for sharing information 


Information shared by the CMA with the Commissioner 


24. The Commissioner's statutory function relates to the legislation set
out at paragraph 7, and this MoU governs information shared by the
CMA to assist the Commissioner to meet those responsibilities. To
the extent that any such shared information is to comprise personal
data, as defined under the UK GDPR and DPA 2018, the CMA is a
Data Controller so must ensure that it has a legal basis to share it
and that doing so would otherwise be compliant with the data
protection principles.


25. Section 131 of the DPA 2018 may provide a legal basis for the CMA
to share information with the Commissioner. Under this particular
provision, the CMA is not prohibited or restricted from disclosing
information to the Commissioner by any other enactment or rule of
law provided it is "information necessary for the discharge of the
Commissioner's functions".


26. Part 9 of the Enterprise Act 2002 prohibits the CMA from disclosing
‘specified information’² except in certain circumstances. Information
which falls within this definition must not be disclosed unless
disclosure is permitted under Part 9 of that Act. Accordingly, the
CMA may share certain types of information with the Commissioner,
including:

• for the purposes of facilitating any of the CMA’s functions
(section 241(1));

• for the purposes of criminal or civil proceedings (section
241A(1) and section 242); or

• having obtained the individual or business’ consent (section
239(1)).

² Specified information is defined in section 237 EA02 as information which relates to the
affairs of an individual or the business of an undertaking which has come to the public
authority in connection with listed functions or by virtue of listed enactments and
specified subordinate legislation.


27. Where the CMA intends to share information with the Commissioner
the CMA must consider the need to exclude from disclosure 
information that is contrary to the public interest, that might 
significantly harm a business or individual’s legitimate business 
interest (or interest relating to the individual’s private affairs). The 
CMA must also consider whether disclosure of information is 
necessary for the purpose which it is permitted to make the 
disclosure. 


Information shared by the Commissioner with the CMA 


28. The Commissioner, during the course of her activities, will receive
information from a range of sources, including personal data. She
will process all personal data in accordance with the principles of
the UK GDPR, the DPA 2018 and all other applicable legislation.
The Commissioner may identify that information she holds, which
may include personal data, ought to be shared with the CMA as it
would assist them in performing their functions and responsibilities.


29. Section 132(1) of the DPA 2018 states that the Commissioner can
only share confidential information with others if there is lawful
authority to do so. In this context, the information will be
considered confidential if it has been obtained, or provided to, the
Commissioner in the course of, or the purposes of, discharging her
functions, relates to an identifiable individual or business, and is not
otherwise available to the public from other sources. This therefore
includes, but is not limited to, personal data. Section 132(2) of the
DPA 2018 sets out the circumstances in which the Commissioner
will have the lawful authority to share that information with the
CMA. In particular, it will be lawful in circumstances where:

• the sharing was necessary for the purpose of the
Commissioner discharging her functions (section 132(2)(c));

• the sharing was made for the purposes of criminal or civil
proceedings, however arising (section 132(2)(e)); or

• the sharing was necessary in the public interest, taking into
account the rights, freedoms and legitimate interests of any
person (section 132(2)(f)).


30. The Commissioner will therefore be permitted to share information
with the CMA in circumstances where it has determined that it is
reasonably necessary to do so in furtherance of one of those
grounds outlined at paragraph 28. In doing so, the Commissioner
will identify the function of the CMA with which that information
may assist, and assess whether that function could reasonably be
achieved without access to the particular information in question. In
particular, where the information proposed for sharing with the CMA
amounts to personal data the Commissioner will consider whether it
is necessary to provide it in an identifiable form in order for the
CMA to perform its functions, or whether disclosing it in an
anonymised form would suffice.


31. If information to be disclosed by the Commissioner was received by
her in the course of discharging her functions as a designated
enforcer under the Enterprise Act 2002, any disclosure shall be
made in accordance with the restrictions set out in Part 9 of that
Act.


32. Where information is to be disclosed by either party for law
enforcement purposes under section 35 (4) or (5) of the DPA 2018
then they will only do so in accordance with an appropriate policy
document as outlined by section 42 of the DPA 2018.


33. Where a request for information is received by either party under
data protection laws, FOIA, or EIR the recipient of the request will 
seek the views and fully consider such representations of the other 
party as described in the FOIA section 45 Code of Practice, where 
the information being sought under the request includes information 
obtained from, or shared by, the other party. However, the decision 
to disclose or withhold the information (and therefore any liability 
arising out of that decision) remains with the party in receipt of the 
request. 


Method of exchange


34. Appropriate security measures shall be agreed to protect
information transfers in accordance with the sensitivity of the 
information and any classification that is applied by the sender. 


Confidentiality and data breach reporting 


35. Where confidential material is shared between the parties it will be
marked with the appropriate security classification.


36. Where one party has received information from the other, it will
consult with the other party before passing the information to a
third party or using the information in an enforcement proceeding
or court case.


37. Where confidential material obtained from, or shared by, the
originating party is wrongfully disclosed by the party holding the 
information, this party will bring this to the attention of the 
originating party without delay. This is in addition to obligations to 
report a personal data breach under the UK GDPR and/or DPA 2018 
where personal data is contained in the information disclosed. 


Duration and review of the MoU 


38. The parties will monitor the operation of this MoU and will review it
no later than two years from the date of signing the agreement, and
thereafter every two years.


39. Any minor changes to this memorandum identified between reviews
may be agreed in writing between the parties.


40. Any issues arising in relation to this memorandum will be notified to
the point of contact for each organisation. 


Key contacts 


41. The parties have both identified a key person who is responsible for
managing this MoU:

Adam Ingle
Principal Policy Adviser - Digital Economy Team
Email: DigitalEconomyTeam@ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Noel Tarleton
Assistant Director - Digital Markets Unit
Email: noel.tarleton@cma.gov.uk
Telephone: 020 3737 6228
Address: The Cabot, Cabot Square, London, E14 4QZ


42. Those individuals will maintain an open dialogue between each 
other in order to ensure that the MoU remains effective and fit for 
purpose. They will also seek to identify any difficulties in the 
working relationship, and proactively seek to minimise the same. 


Signatories 


Claudia Berg, General Counsel, Information Commissioner’s Office
Date: 30 April 2021

Sarah Cardell, General Counsel, Competition and Markets Authority
Date: 30 April 2021


Note: This document has been signed and signatures redacted for 
publication. 




